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Abstract 

This paper studies the security of an image encryption scheme based on the Hill 
cipher and reports its following problems: 1) there is a simple necessary and sufficient 
condition that makes a number of secret keys invalid; 2) it is insensitive to the change 
of the secret key; 3) it is insensitive to the change of the plain-image; 4) it can be 
broken with only one known/chosen-plaintext; 5) it has some other minor defects. 
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1 1 Introduction 



2 The history of cryptography can be traced back to the secret communication 

3 among people thousands of years ago. With the development of human society 

4 and industrial technology, theories and methods of cryptography have been 

5 changed and improved gradually, and meanwhile cryptanalysis has also been 
e developed. In 1949, Shannon published his seminar paper "Communication 
7 theory of secrecy systems" [1], which marked the beginning of the modern 
s cryptology. 

gin the past two decades, the security of multimedia data has become more 

10 and more important. However, it has been recognized that the traditional 

11 text-encryption schemes cannot efficiently protect multimedia data due to 

12 some special properties of the multimedia data, such as strong redundancy 
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13 and bulk size of the uncompressed data. To meet this challenge, a number 

14 of special image encryption schemes based on some nonlinear theories were 

15 proposed [2-4]. Yet, many of them are found to be insecure from the view 
le point of cryptography [5-17]. 

17 In [18], Ismail et al. tried to encrypt images efficiently by modifying the clas- 
sical Hill cipher [19]. This paper studies the security of the scheme proposed 
win [18] and reports the following findings: 1) there exist a number of invalid 

20 secret keys; 2) the scheme is insensitive to the change of the secret key; 3) 

21 the scheme is insensitive to the change of the plain-image; 4) the scheme can 

22 be broken with only one known/chosen plain-image; 5) the scheme has some 

23 other minor performance defects. 

24 The rest of this paper is organized as follows. The next section briefly in- 
25troduces the encryption scheme to be studied. Section [3] presents detailed 
26 cryptanalysis of the scheme. The last section concludes the paper. 



27 2 The image encryption scheme to be studied 



The scheme proposed in [18] scans the gray scales of a plain-image P (or 
one channel of a color image) of size M x N in a raster order and divides it 
into \MN/rn\ vectors of size m: {Pi}\=i N ^ m \ where Pi = {P((l — 1) • m + 
1), • • • , P((l — 1) • m + m)} (the last vector is padded with some zero bytes if 
MN can not be divided by m). Then, the vectors {Pi}\=i N ^ m ^ are encrypted 
in increasing order with the following function: 

d = (P ■ K{) mod 256, (1) 

where Ki = (Ki[i,j]) mxm , Ki[i,j] G Z 2 56, the initial state of K\>2 is set to 
be Ki_i, and then every row of K\ is generated iteratively with the following 
function, for % = 1 ~ m: 

2^[v] = (IV-X,)mod 256, (2) 

2B where IV is a vector of size lxm and IV [i] G Z 256 . Finally, the cipher- image 

29 is obtained as C = {Ci)\=^ m ^ . 

30 The secret key of the encryption scheme includes three parts: m, K , and IV. 

The decryption procedure is the same as the above encryption procedure ex- 
cept that Eq. (jTJ) is replaced by the following function: 

P t = (Q ■ Kf 1 ) mod 256, (3) 
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3i where (K\ ■ K l *) mod 256 = I, the identity matrix. 



32 3 Cryptanalysis 



33 3. 1 Some Defects of the Scheme 



34 3.1.1 Invalid keys 

35 An invalid key is a key that fails to ensure the success of the encryption scheme. 

36 From the following Fact [1] and Corollary [H one can see that one secret key 

37 in the above-described scheme is invalid if and only if gcd(.Ki, 256) / 1 or 
se IV\i] mod 2 = 0. 

39 Fact 1 A matrix K is invertible in Z n if and only if gcd(det(K) , n) = 1. 

40 Proposition 1 det{K t ) = (f[ IV[iU det(-Kn). 

Proof: According to Eq. ([2]), there is a relation between Ki and Ki-i, as 
follows: 



Ki 



E IV[i]Ki-![i, :] 



i=l 



IV[l)K l [l,-] + T,IV\i}K l _ 1 [i, 

i=2 



m—1 



E IVftKfal+IVWKt-dm,:] 

i=l 



mod 256. 



(4) 



i — 1 

41 Subtracting E IV[i]Ki[i, :] from .Ki[io> : ] for io = m ~ 2, one gets 
< i 



m \ 

E IV[i\Ki-. x [i, :1 » 

i=l 
m 

EIV[z]^_![z,: 

i=2 



\ IV[m]Ki-i[m,:] ) 



mod 256. 



(5) 



42 Subtracting K'^Iq, :] from K'^Iq — 1, :] for i = 2 ~ m, one has 



( TVpwfl,:] 
IV[2]K^[2,:] 

y JV[ffl]K(_i[m,:] y 



mod 256. 



(6) 



43 Obviously, det{K t ) = det(K[) = det(-Kf) = 

44 completes the proof of the proposition. 

4 5 Corollary 1 det(iiQ) = ^J] JV[*]J det(Ki). 



n IV[i] det(K/_i), which 
i=i ' ' ' 



, Proof: The result directly follows from Proposition [TJ 



47 3.1.2 Insensitivity to the change of the secret key 

4B Although it is claimed in [18, Sec. 5] that the encryption scheme is very sen- 
49sitive to the change of the sub-keys Ki, IV, this is not true. 

50 Let's first study the influence on Ki> 2 if only one bit of Ki is changed. Without 

51 loss of generality, assume that the n-th significant bit of Ki(l,j ) is changed 

52 from zero to one, where < n < 7. Let K\ denote the modified version of K[. 

53 The change D\ — K\ — K\ can be presented by the following two equations: 



Di[.,j ] 



Di[:,j] = 0,for j ^ j , 

m 

E JV[i]A-i[i,jo] 



(7) 



i=l 



rv[\\D l [i,j Q \ + T.rv[i\D l ^[i t j Q \ 

i=2 



m—1 



E IV[i]A[i,Jo]+IV[m]D,- 1 [m,jo] 



mod 256, (8) 



i=i 



54 where Dx[l,j ] = 2 n , D^ijo] = 0, z = 2 ~ m. 



Since JV[i] mod 2^0, -Df [i, Jo] 7^ always exist. From Eq. (jSJ), one can see 
that -D;[i, jo] > 2 n exists, which means that only the n -th bit of Ci[j ] may 
possibly be changed, where hq > n. Note also that there is no influence on C\ 
if 

(PzAMo]) mod 256 = 0. 
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To verify the above analysis, an experiment has been carried out using a plain- 
image "Lenna" with the secret key 



m = 4, IV = (3 9 17 33), -Hi 



11 2 3 7 
8 5 19 103 
201 203 119 150 
7 9 21 35 



(9) 



55 Only the 5-th significant bit of K\ [1, 2] is changed, namely K\ [1,2] = [K\ [1, 2] + 

56 2 5 ) mod 256. Let C denote the cipher-image corresponding to K\ . The bit- 

57 planes of difference \C — C\ are shown in Fig. [TJ which demonstrates the very 
se weak sensitivity of the encryption scheme with respect to K\. 




a) ~ 4-th b) 5-th c) 6-th d) 7-th 

Fig. 1. The bit-planes of \C — C| when one bit of K\ is changed. 

59 Now, consider the influence on Ki> 2 if only one bit of IV is changed. Without 

60 loss of generality, assume the n-th significant bit of is changed from 
ei zero to one. Similarly, let D[ denote the change of K[. Due to the extremely 
62 complex formulation of -D/>3, only D 2 is shown here. 



63 where j 



i^i[i,i]2 n 

D 2 [l,j](IV[l]+2 n )+K 2 [l,j]2 n 
D 2 [2,j]+IV[2]D 2 [2,j] 



m—X 

D 2 [2,j}+ E IV\i]D 2 [iJ] 

i=2 



mod 256, 



(10) 



m. 



64 To see the influence of the change of IV, an experiment has been carried out 
65 using plain-image "Lenna", with the same secret key shown_in Eq. (Q above, 
ee Only the 5-th significant bit of JV[1] is changed, namely JV[1] = (JV[1] + 
67 2 5 ) mod 256. The bit-planes of difference between cipher-images corresponding 
es to IV and IV, respectively, are shown in Fig. [2J 
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69 Comparing Fig. [T] and Fig. [21 one can see that the sensitivty with respect 
70 to IV is much stronger than the one with respect to K\, which agrees with 

71 the above theoretical analysis. But one bit change of a sub-key of a secure 

72 cipher should cause every bit of the ciphertext changed with a probability of 

73 J- Obviously, the sensitivity of the encryption scheme with respect to sub- keys 
™K\, IV is very far from this requirement. 





^E^OT^^SillM^ll^^Sii^^^MS^K^ SiSffi^^^^^^^^^^^^^^S^^^^^^^^P ra»^r^^^^^^»^^^sii*i^l r ^t*,';i!?^rJ& 

b) 5-th c) 6-th d) 7-th 

Fig. 2. The bit-planes of |C — C| when one bit of IV is changed. 



ib 3.1.3 Insensitivity to the change of the plain-image 

76 This property is especially important for image encryption since an image and 

77 its watermarked version may be encrypted simultaneously. 

7B Since the role of Pi in Eq. (CQ) is exactly the same as that of IV in Eq. (j2J), 
79 the analysis about its insensitivity to the change of the plain- image can be 
so carried out just like the case about the sub-key IV discussed above. 



si 3.1.4 Some other problems 

82 The encryption scheme has the following additional problems: 

83 (1) cannot encrypt plain-image of a fixed value zero; 

(2) efficiency of implementation is low: From [20, Thorem 2.3.3], one can see 
that the number of invertible matrices of size m x m in Z256 is 

m— 1 

|GL(m,Z 256 )| = 2 7m2 n(2 m -2 fc ). (11) 

k=0 

Thus, the probability that a matrix of size mxmin Z 2 56 is invertible is 
»■= yi' 2) = 11(1-2-*) "4 (12) 

k=l 

84 So, it needs 0(3m 2 ) and 0(m 2 ■ MN) times of computations, respectively, 
as for checking the reversibility of K\ and for calculating {Kf 1 }^ 1 -^^™^ . 
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86 Note that these computations have no direct contributions to protecting 

87 the plain-image. 

as (3) the scope of sub-key m is limited: As discussed above, the larger the value 

89 m the higher the computational cost. 

90 (4) the confusion capability is weak: This problem is caused by the linearity of 

91 the main encryption function. To demonstrate this defect, the encryption 

92 result of one special plain-image is shown in Fig. [3], where Figure [3b) also 

93 effectively disproves the conclusion about the quality of encryption results 

94 given in [18, Sec. 4]. 




a) plain-image b) cipher-image 

Fig. 3. A special test image, "Test_pattern" . 



95 3.2 Known/ Chosen-Plaintext Attack 



96 The known/chosen-plaintext attack works by reconstructing the secret key or 

97 its equivalent based on some known/chosen plaintexts and their corresponding 

98 ciphertexts. 

For this encryption scheme, the equivalent key {Ki}i=i*^ m ^ can be recon- 
structed from m plain-images ~ p( m ) and their corresponding cipher- 
images C^ 1 ' ~ C^ m ) by using 



K 



( C {1) W 



(2) 



ci 



. Mm) 



mod 256, 



(13) 
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where 



/ p(i) \ 



*(B) 



>(2) 



(14) 



V 



,(m) 



/ 



99 The reversibility of can be ensured by utilizing more than m plain-images 

100 or by choosing m special plain-images. Note that the above known/chosen- 

101 plaintext attack can be carried out with only one know/chosen plain-image 

102 due to the very short period of sequence {Ki[:, for j = 1 ~ m. To 
103 study the period of this sequence, 10,000 tests have been done for a given 
104 value of IV of size 1x3, where K\ is selected randomly. The numbers of 



105 tests where the corresponding sequence {Ki{:, l)}\=x /ml[ has period p, N } 
we with some values of IV, is shown in Tabled], which shows that the period of 



{Ki[:,j]} 



[MN/rn] 



is indeed very short. 



Table 1 

Values of N p with some values of IV, p = 2 s , s = 3 ~ 9. 



IV 


iV 8 


iVl6 


iV 32 


iV 6 4 


iVl28 


iV 256 


iV 5 12 


(91, 63, 45) 

















1463 


8537 


(113, 25, 219) 


14 


34 


127 


561 


3561 


5703 





(253, 115, 17) 


6 


20 


72 


284 


1081 


8537 





(1, 3, 5) 








98 


284 


1081 


8537 





(5, 121, 247) 


7 


36 


132 


561 


3561 


5703 






los 4 Conclusion 



login this paper, the security and performance of an image encryption scheme 
no based on the Hill cipher have been analyzed in detail. It has been found that 
in the scheme can be broken with only one known/chosen plain- image. There 
n2 is a simple necessary and sufficient condition that makes a number of secret 
in keys invalid. In addition, the scheme is insensitive to the change of the se- 
lucret key/plain- image. Some other performance defects have also been found, 
us In conclusion, the encryption scheme under study actually has much weaker 
n6 security than the original Hill cipher, therefore is not recommended for appli- 
H7 cations. 
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